University of Nottingham 


Response to the Direct Marketing Consultation 


The University welcomes the opportunity to provide feedback on the draft Direct Marketing 
Code of Practice, it is helpful that the guidance has been written in a plain English way with 
lots of useful examples. 


There are however a number of points that the University feels it would be helpful to flesh 
out or that may need some clarification. 


1. 


One of our main concerns is that under the new guidance the term Direct Marketing 
(DM) includes all processing leading up to enabling and supporting Direct Marketing. 
This would potentially mean that we need consent just to hold data rather than 
consent to send direct marketing as we do now 

The University has been following the guidance produced by CASE and we are led to 
believe that the ICO was consulted on this with no objections, so clarity around this 
would be welcomed. 


Pg 6 - states we are unlikely to be able to justify tracing an individual to send them 
new details. Whist UoN has agreed this for emails, this is adding in physical 
addresses. This effectively removes LI as a justification for processing there and we 
feel this section lacks detail on how we are to proceed with this. 


Pg 15 - DM purposes includes "even if does not contain any sales or marketing 
material’ could the University enquire about affinity calls which are relationship 
building and are carried out under LI, which is PECR Compliant. 

It is possible that there is little to no existing relationship with some people called. 


Pg 17 - what types of communications are covered? Our concern is in regards to 
Social Media - we might make a first attempt via LinkedIn (or other Social Media) 
rather than email. Would there be a distinction made for professional marketing 
sites? 


Pg 28 - the example given says that best practice is for the supermarket to check the 
opt-in/out status, of those it wishes to contact, via the opt-in/out status with the 
charity database. We wouldn't be willing to share data for this purpose and we 
wouldn’t want to share data with companies who wish to raise funds on our behalf 
either. 


Pg 31 which says “Good practice recommendation. Get consent for all your direct 
marketing regardless of whether PECR requires it or not.” 

(Good practice is defined by DPA 2018 as “such practice in direct marketing as 
appears to the Commissioner to be desirable having regard to the interests of data 
subjects and others, including compliance with the requirements mentioned in 
subsection (1)(a)"). Are we to ignore any other lawful basis and assume only consent 
is good enough? 


Pg 31 - how would we decide lawful basis? If you have a contractual basis, then DM 
can only be if in direct service of the contract, but according to the guide would also 
include profiling which would have implications for Alumni Relations in all 
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Universities. 

Pg 37 - LIA on prospect research regarding invisible processing. This point does 
have direct tension with CASE guidelines which we have previously mention and is 
forming a lot of the work Universities have undertaken in terms of LIAs. 


Pg 49 - 1 month time limit for PNs, this point conflicts with the Exemption under A14. 


. Pg 50 - No. of exemptions to S14, some examples: 'large amounts of data’. What is 


large amounts or extensive? This really needs a clearer definition. 


Pg 58 - Can we use profiling to better target DM? What is ‘intrusive profiling’? This 
needs to be better explained possibly with examples. 


Pg 60 — Guide states that consent to email someone is specific to that email address 
even though PECR itself simply refers to consent to send email marketing. 


Pg 62 which includes an example of a university updating its address records from 
something like the National Change of Address Database. 

You say "The University has infringed the GDPR by taking this action. Because it is 
unfair to trace individuals in these circumstances and it takes away their control. The 
university's legitimate interest in raising money does not outweigh the rights of the 
alumni to choose not to share their new address.” 

This comes just after a section which described a similar practice and said "However 
in some cases individuals may express a wish for their updated contact details to be 
shared. For example, the individual may have moved house and made clear to a 
third party data source, by ticking a box or some other positive action, that they 
wanted the source to inform further third parties of the change of address.” 

These are contradictory and should be clarified. 


Pg 63 — We cannot assume that someone has forgotten to update us. You have 
stated that consent is specific to particular email address or number, although as per 
point 12 this defers from PECR. But what if they give you a new email via a paper 
form, but don't update preferences? Surely the assumption is that they want us to 
use it otherwise why would give it to us? By failing to use it, we could cause damage 
to a relationship the data subject actually wants and expects. 


Pg 68 - failure to opt out is not consent, but if consent is already gained, then not 
opting out is indication they're happy with the calls. (TPS specific). This section 
seems to be at odds with the TPS’s own guidance on its website. 


Pg 69 - TPS acting as a general objection we feel that this section is not well worded. 
Pg 82 - Processing (not marketing) does not require consent if PECR consent is not 


required for the DM i.e. dispute with how processing and DM are treated elsewhere 
(business). 


